Menu
Im trying to perform a parameterized query in SQLite from C#, and the method im using is along the lines of creating a static command with
SQLiteCommand cmd = new SQLiteCommand(
"SELECT [ID]" +
",[email]" +
",[serializedata]" +
",[restrictions]" +
" FROM " + UserTable +
" WHERE @search = @searchparam", SQLConnection);
cmd.Parameters.Add(new SQLiteParameter("@searchparam"));
cmd.Parameters.Add(new SQLiteParameter("@search"));
and calling it like this:
Command.Parameters["@searchparam"].Value = searchdata;
Command.Parameters["@search"].Value = search;
SQLiteDataAdapter slda = new SQLiteDataAdapter(UserSelectUsernameCommand);
DataSet ds = new DataSet();
slda.Fill(ds);
User[] array = new User[ds.Tables[0].Rows.Count];
int index = 0;
foreach (DataRow row in ds.Tables[0].Rows)
{
array[index] = new User(this, row);
index++;
}
return array;
but im getting an error along the line of " '@search' is not a correct column name " or something like that. if i use a constant column name, and only use the data for parameters it works, but i dont want to create 10 different commands for when i need to search by different column names.
What is the issue here?
955
SQLite doesn't support output parameters. Return values in the query results instead.
Click on Columns and drag it to the query window. This will enumerate the columns names in that given table separated by comma at the cursor position. (easier/faster than writing queries for an equivalent result!). sqlite> .
SQLite Case SensitivitySQLite is a case insensitive. Table names and column names can be typed in uppercase, lowercase, or mixed case, and different capitalizations of the same database object name can be used interchangeably.
Generally things like column names (or table names) can not be parameterised - and the fact that there are different indices means that it will have to be a different plan internally. So you will have to use concatenation - but be careful to white-list the known column names to prevent sql injection:
SQLiteCommand cmd = new SQLiteCommand(@"
SELECT [ID],[email],[serializedata],[restrictions]
FROM " + whiteListedUserTable + @"
WHERE [" + whiteListedColumnName + @"] = @searchparam", SQLConnection);
cmd.Parameters.Add(new SQLiteParameter("@searchparam"));
...
Command.Parameters["@searchparam"].Value = searchdata;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
